feat/major-revamp #11

Merged
lanson merged 42 commits from fix/various into main 2024-08-17 14:54:28 +00:00
11 changed files with 323 additions and 275 deletions
Showing only changes of commit 7f8d8654a4 - Show all commits

View File

@ -1,3 +1,4 @@
---
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0 rev: v4.5.0

View File

@ -1,9 +1,10 @@
--- ---
# hashistack deployment playbook # hashistack deployment playbook
- name: "Deploy" - name: "Deploy"
hosts: all, !deployment hosts: "{{ target | default('all, !deployment') }}"
strategy: linear strategy: linear
gather_facts: true gather_facts: true
any_errors_fatal: true
become: true become: true
tasks: tasks:
- name: "Import variables" - name: "Import variables"
@ -12,57 +13,42 @@
tags: tags:
- always - always
# Consul nodes deployment
- name: "Deploy Consul" - name: "Deploy Consul"
tags: tags:
- consul - consul
when: when:
- enable_consul | bool - enable_consul | bool
block:
- name: "Deploy Consul Control Plane"
ansible.builtin.import_tasks:
file: tasks/consul/consul_deploy.yml
when:
- "'consul_servers' in group_names"
- name: "Deploy Consul Agents"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_consul
when:
- "'consul_agents' in group_names"
- name: "Deploy Haproxy & Keepalived"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: tasks/haproxy/haproxy_deploy.yml file: tasks/consul/consul_deploy.yml
when:
- enable_haproxy | bool # Haproxy nodes deployment
- "'haproxy_servers' in group_names" - name: "Deploy Proxies"
tags: tags:
- haproxy - haproxy
- name: "Deploy Vault"
ansible.builtin.import_tasks:
file: tasks/vault/vault_deploy.yml
when: when:
- enable_vault | bool - enable_haproxy | bool
- "'vault_servers' in group_names" block:
- name: "Deploy Haproxy & Keepalived"
ansible.builtin.import_tasks:
file: tasks/haproxy/haproxy_deploy.yml
when:
- "'haproxy_servers' in group_names"
# Vault nodes deployment
- name: "Deploy Vault"
tags: tags:
- vault - vault
when:
- enable_vault | bool
ansible.builtin.import_tasks:
file: tasks/vault/vault_deploy.yml
# Nomad nodes deployment
- name: "Deploy Nomad" - name: "Deploy Nomad"
tags: tags:
- nomad - nomad
when: when:
- enable_nomad | bool - enable_nomad | bool
block: ansible.builtin.import_tasks:
- name: "Deploy Nomad Control Plane" file: tasks/nomad/nomad_deploy.yml
ansible.builtin.import_tasks:
file: tasks/nomad/nomad_deploy.yml
when:
- "('nomad_servers' in group_names)"
- name: "Deploy Nomad Clients"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_nomad
when:
- "('nomad_clients' in group_names)"
- "('nomad_servers' not in group_names)"

View File

@ -0,0 +1,6 @@
---
- name: "Consul agents"
block:
- name: "Deploy Consul Agents"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_consul

View File

@ -0,0 +1,78 @@
---
- name: "Consul control plane"
block:
- name: "Include ednz_cloud.hashicorp_consul"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_consul
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
block:
- name: "Wait for consul nodes to stabilize"
ansible.builtin.wait_for:
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
delay: 10
- name: "Waiting for consul api to respond"
ansible.builtin.uri:
url: "{{ consul_api_addr }}"
validate_certs: no
return_content: yes
status_code:
- 200
until: uri_output.status == 200
retries: 24
delay: 5
register: uri_output
- name: "Initialize consul cluster" # noqa: run-once[task]
community.general.consul_acl_bootstrap:
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
state: present
register: _consul_init_secret
when:
- consul_init_server
- hashicorp_consul_configuration.acl.enabled
- name: "Create consul agents token"
when:
- consul_init_server
- hashicorp_consul_configuration.acl.enabled
block:
- name: "Create consul agents token" # noqa: run-once[task] no-handler
block:
- name: "Create consul agent policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
validate_certs: false
state: present
name: agents-policy
rules: "{{ consul_default_agent_policy }}"
register: _consul_agent_policy
- name: "Create consul agents token"
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
policies:
- id: "{{ _consul_agent_policy.policy.ID }}"
state: present
register: _consul_agent_token
- name: "Restart consul service" # noqa: no-handler
ansible.builtin.service:
name: "{{ hashicorp_consul_service_name }}"
state: restarted
throttle: 1
when: _consul_agent_token.changed

View File

@ -1,78 +1,19 @@
--- ---
- name: "Consul" - name: "Consul"
block: block:
- name: "Include ednz_cloud.hashicorp_consul" - name: "Deploy Consul Control Plane"
ansible.builtin.include_role: ansible.builtin.import_tasks:
name: ednz_cloud.hashicorp_consul file: consul_control_plane.yml
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
block:
- name: "Wait for consul nodes to stabilize"
ansible.builtin.wait_for:
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
delay: 10
- name: "Waiting for consul api to respond"
ansible.builtin.uri:
url: "{{ consul_api_addr }}"
validate_certs: no
return_content: yes
status_code:
- 200
until: uri_output.status == 200
retries: 24
delay: 5
register: uri_output
- name: "Initialize consul cluster" # noqa: run-once[task]
community.general.consul_acl_bootstrap:
bootstrap_secret: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
state: present
register: _consul_init_secret
when: when:
- consul_init_server - "'consul_servers' in group_names"
- hashicorp_consul_configuration.acl.enabled tags:
- consul_servers
- name: "Create consul agents token" - name: "Deploy Consul Agents"
ansible.builtin.import_tasks:
file: consul_agents.yml
when: when:
- consul_init_server - "'consul_agents' in group_names"
- hashicorp_consul_configuration.acl.enabled - "'consul_servers' not in group_names"
block: tags:
- name: "Create consul agents token" # noqa: run-once[task] no-handler - consul_agents
block:
- name: "Create consul agent policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
validate_certs: false
state: present
name: agents-policy
rules: "{{ consul_default_agent_policy }}"
register: _consul_agent_policy
- name: "Create consul agents token"
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ api_interface_address }}"
port: "{{ consul_api_port[consul_api_scheme] }}"
scheme: "{{ consul_api_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.agent.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.agent.secret_id }}"
policies:
- id: "{{ _consul_agent_policy.policy.ID }}"
state: present
register: _consul_agent_token
- name: "Restart consul service" # noqa: no-handler
ansible.builtin.service:
name: "{{ hashicorp_consul_service_name }}"
state: restarted
throttle: 1
when: _consul_agent_token.changed

View File

@ -0,0 +1,11 @@
---
- name: "Nomad clients"
block:
- name: "Install docker driver"
ansible.builtin.include_role:
name: ednz_cloud.install_docker
when: nomad_driver_enable_docker
- name: "Deploy Nomad Clients"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_nomad

View File

@ -0,0 +1,82 @@
---
- name: "Nomad control plane"
block:
- name: "Create consul tokens for service registration"
when:
- nomad_init_server
- enable_consul
- nomad_enable_consul_integration
vars:
_consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
block:
- name: "Create server credentials"
block:
- name: "Create consul server policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
state: present
name: nomad-server-policy
rules: "{{ nomad_consul_integration_server_policy }}"
register: _consul_nomad_server_policy
- name: "Create consul server token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
policies:
- id: "{{ _consul_nomad_server_policy.policy.ID }}"
state: present
when: _consul_nomad_server_policy.changed
- name: "Create client credentials"
block:
- name: "Create consul client policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
state: present
name: nomad-client-policy
rules: "{{ nomad_consul_integration_client_policy }}"
register: _consul_nomad_client_policy
- name: "Create consul client token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
policies:
- id: "{{ _consul_nomad_client_policy.policy.ID }}"
state: present
when: _consul_nomad_client_policy.changed
- name: "Include ednz_cloud.hashicorp_nomad"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_nomad
- name: "Initialize nomad cluster" # noqa: run-once[task]
ednz_cloud.hashistack.nomad_acl_bootstrap:
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
api_url: "{{ nomad_api_addr }}"
tls_verify: false
register: _nomad_init_secret
when:
- nomad_init_server
- hashicorp_nomad_configuration.acl.enabled

View File

@ -1,82 +1,19 @@
--- ---
- name: "Nomad" - name: "Nomad"
block: block:
- name: "Create consul tokens for service registration" - name: "Deploy Nomad Control Plane"
ansible.builtin.import_tasks:
file: nomad_control_plane.yml
when: when:
- nomad_init_server - "'nomad_servers' in group_names"
- enable_consul tags:
- nomad_enable_consul_integration - nomad_servers
vars:
_consul_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
_consul_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
block:
- name: "Create server credentials"
block:
- name: "Create consul server policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
state: present
name: nomad-server-policy
rules: "{{ nomad_consul_integration_server_policy }}"
register: _consul_nomad_server_policy
- name: "Create consul server token" - name: "Deploy Nomad Clients"
community.general.consul_token: ansible.builtin.import_tasks:
token: "{{ _credentials.consul.root_token.secret_id }}" file: nomad_clients.yml
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.nomad.server.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.nomad.server.secret_id }}"
policies:
- id: "{{ _consul_nomad_server_policy.policy.ID }}"
state: present
when: _consul_nomad_server_policy.changed
- name: "Create client credentials"
block:
- name: "Create consul client policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
state: present
name: nomad-client-policy
rules: "{{ nomad_consul_integration_client_policy }}"
register: _consul_nomad_client_policy
- name: "Create consul client token"
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_host }}"
port: "{{ _consul_port }}"
scheme: "{{ _consul_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.nomad.client.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.nomad.client.secret_id }}"
policies:
- id: "{{ _consul_nomad_client_policy.policy.ID }}"
state: present
when: _consul_nomad_client_policy.changed
- name: "Include ednz_cloud.hashicorp_nomad"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_nomad
- name: "Initialize nomad cluster" # noqa: run-once[task]
ednz_cloud.hashistack.nomad_acl_bootstrap:
bootstrap_secret: "{{ _credentials.nomad.root_token.secret_id }}"
api_url: "{{ nomad_api_addr }}"
tls_verify: false
register: _nomad_init_secret
when: when:
- nomad_init_server - "'nomad_clients' in group_names"
- hashicorp_nomad_configuration.acl.enabled - "'nomad_servers' not in group_names"
tags:
- nomad_clients

View File

@ -123,7 +123,3 @@
combine(_config_to_merge, recursive=true) combine(_config_to_merge, recursive=true)
}}" }}"
when: nomad_extra_configuration is defined when: nomad_extra_configuration is defined
- name: "Print nomad configuration"
ansible.builtin.debug:
msg: "{{ hashicorp_nomad_configuration }}"

View File

@ -0,0 +1,90 @@
---
- name: "Vault control plane"
block:
- name: "Create consul token for service registration"
when:
- vault_init_server
- enable_consul
- vault_enable_service_registration
vars:
_consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
block:
- name: "Create consul vault policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
port: "{{ _consul_vault_sr_port }}"
scheme: "{{ _consul_vault_sr_scheme }}"
validate_certs: false
state: present
name: vault-policy
rules: "{{ vault_service_registration_policy }}"
register: _consul_vault_policy
- name: "Create consul vault token" # noqa: no-handler
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
port: "{{ _consul_vault_sr_port }}"
scheme: "{{ _consul_vault_sr_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
policies:
- id: "{{ _consul_vault_policy.policy.ID }}"
state: present
when: _consul_vault_policy.changed
- name: "Include ednz_cloud.hashicorp_consul"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_vault
- name: "Initialize vault cluster" # noqa: run-once[task]
ednz_cloud.hashistack.vault_init:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
retries: 5
delay: 5
register: _vault_init_secret
until: not _vault_init_secret.failed
when: vault_init_server
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
ansible.builtin.copy:
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
when:
- vault_init_server
- _vault_init_secret.changed
delegate_to: localhost
- name: "Load vault cluster variables necessary for unseal operation"
ansible.builtin.import_tasks:
file: ../misc/load_credentials_vars.yml
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
key_shares: "{{ _credentials.vault['keys'] }}"
when:
- vault_init_server
- _vault_init_secret.changed
register: _vault_unseal_secret
- name: "Unseal all vault nodes"
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
key_shares: "{{ _credentials.vault['keys'] }}"
retries: 5
delay: 5
until: _unseal_status.changed or not _unseal_status.failed
register: _unseal_status

View File

@ -1,90 +1,10 @@
--- ---
- name: "Vault" - name: "Vault"
block: block:
- name: "Create consul token for service registration" - name: "Deploy Vault Control Plane"
when:
- vault_init_cluster
- enable_consul
- vault_enable_service_registration
vars:
_consul_vault_sr_host: "{{ hostvars[groups['consul_servers'][0]].api_interface_address }}"
_consul_vault_sr_port: "{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}"
_consul_vault_sr_scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
block:
- name: "Create consul vault policy"
community.general.consul_policy:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
port: "{{ _consul_vault_sr_port }}"
scheme: "{{ _consul_vault_sr_scheme }}"
validate_certs: false
state: present
name: vault-policy
rules: "{{ vault_service_registration_policy }}"
register: _consul_vault_policy
- name: "Create consul vault token"
community.general.consul_token:
token: "{{ _credentials.consul.root_token.secret_id }}"
host: "{{ _consul_vault_sr_host }}"
port: "{{ _consul_vault_sr_port }}"
scheme: "{{ _consul_vault_sr_scheme }}"
validate_certs: false
accessor_id: "{{ _credentials.consul.tokens.vault.accessor_id }}"
secret_id: "{{ _credentials.consul.tokens.vault.secret_id }}"
policies:
- id: "{{ _consul_vault_policy.policy.ID }}"
state: present
when: _consul_vault_policy.changed
- name: "Include ednz_cloud.hashicorp_consul"
ansible.builtin.include_role:
name: ednz_cloud.hashicorp_vault
- name: "Initialize vault cluster" # noqa: run-once[task]
ednz_cloud.hashistack.vault_init:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
key_shares: "{{ vault_seal_configuration['key_shares'] }}"
key_threshold: "{{ vault_seal_configuration['key_threshold'] }}"
retries: 5
delay: 5
register: _vault_init_secret
until: not _vault_init_secret.failed
when: vault_init_cluster
- name: "Write vault configuration to file" # noqa: run-once[task] no-handler
ansible.builtin.copy:
content: "{{ _vault_init_secret.state | to_nice_yaml(indent=2) }}"
dest: "{{ sub_configuration_directories.secrets }}/vault.yml"
owner: "{{ lookup('env', 'USER') }}"
group: "{{ lookup('env', 'USER') }}"
mode: "0644"
when:
- vault_init_cluster
- _vault_init_secret.changed
delegate_to: localhost
- name: "Load vault cluster variables necessary for unseal operation"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: ../misc/load_credentials_vars.yml file: vault_control_plane.yml
- name: "Unseal the bootstrap node" # noqa: run-once[task] no-handler
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
key_shares: "{{ _credentials.vault['keys'] }}"
when: when:
- vault_init_cluster - "'vault_servers' in group_names"
- _vault_init_secret.changed tags:
register: _vault_unseal_secret - vault_servers
- name: "Unseal all vault nodes"
ednz_cloud.hashistack.vault_unseal:
api_url: "{{ hashicorp_vault_configuration['api_addr'] }}"
tls_verify: "{{ vault_tls_verify }}"
key_shares: "{{ _credentials.vault['keys'] }}"
retries: 5
delay: 5
until: _unseal_status.changed or not _unseal_status.failed
register: _unseal_status